set_outliers_detection_parameter
Use this command to modify one or more parameters of the outliers detection configuration.
Important: Do not modify the defaults unless you are working with someone knowledgeable in outlier mining.
This API is available in Guardium V9.5 and later.
GuardAPI syntax
set_outliers_detection_parameter parameter_name=name parameter_value=value
Parameters
Parameter | Value type | Description |
---|---|---|
cleanupKeepDays | String | The number of days to retain model data on the collector. Default = 90 |
sensitiveObjectGroup | Comma separated list of strings | Adds additional object groups (tables, views, and more) to the outliers detection algorithm. Use this command to find a group name: grdapi list_group_by_desc desc=<group name>. Factory setting: privUsersGroup=Sensitive Objects |
sensitiveFileGroup | Comma separated list of strings | Adds additional groups to the outlier detection algorithm. Use this command to find a group name: grdapi list_group_by_desc desc=<group name>. Factory setting: privUsersGroup=Sensitive Files |
privUsersGroup | Comma separated list of strings | Adds additional user groups to the outlier detection algorithm. Use this command to find a group name: grdapi list_group_by_desc desc=<group name>. Factory setting: privUsersGroup=Admin Users |
minDaysForAlerts | | The number of days of activity required before outlier alerts are produced. The value of this parameter cannot exceed the value of budgetTrainingDays. Default = 7 |
intervalAlertsThreshold | numeric | The score at which an anomaly becomes an outlier. Lowering it makes the system more sensitive to anomalies: anomalies with a lower score are issued as outliers, and false positives become more likely. Raising it makes the system less sensitive to anomalies. Default = 0.99 |
maxMessageAlertsTopScores | integer | High volume outliers only. The number of rows in the Details tab of a high volume outlier. The rows present details of the highest scoring anomalies that occurred during the hour. Default = 500 |
maxMessageAlertsSampleSizePerAlertType | integer | Non-high-volume outliers only. The number of sample anomalies included in a summary alert. A non-high-volume outlier shows maxMessageAlertsSampleSizePerAlertType sample rows in no particular order, because the score is not relevant for these outliers and no object is newer than another. Default = 500 |
messageAlertsThreshold | | Internal use only. Do not modify. |
minNumIntervalsForFirstClustering | integer | The time period, in hours, until users are initially assigned to clusters. Valid values: |
minNumIntervalsForMessageScorers | | Internal use only. Do not modify. |
minNumIntervalsForIntervalScorers | | Internal use only. Do not modify. |
numOfAnalyzeThreads | | Internal use only. Do not modify. |
alertsPerDay | integer | The target number of outliers you want to receive per day. The alert score threshold is derived from statistics over the last budgetTrainingDays days, and the system sends the outliers with the highest score each hour. A day may produce fewer outliers than alertsPerDay simply because there were not many outliers that day. If many outliers suddenly score above the threshold, all of them are reported and this parameter does not limit them, so an acute situation is never suppressed. |
budgetTrainingDays | integer | The number of days the system looks back for learning. The value of this parameter cannot be less than the value of minDaysForAlerts. Default = 14 |
demoMode | boolean | Used for demo only. Valid values: |
nanny.duration.analysis | | Internal use only. Do not modify. |
nanny.duration.clean | | Internal use only. Do not modify. |
nanny.duration.reconfig | | Internal use only. Do not modify. |
nanny.duration.maintenance | | Internal use only. Do not modify. |
runCaseAnalysis | boolean | Used for Advanced threat analytics. Valid values: |
debugMode | boolean | Controls whether debug details are written to the debug log. Valid values: |
clusteringScheduleIntervals | integer | The frequency at which the clustering algorithm runs. To disable clustering, set both this parameter and minNumIntervalsForFirstClustering to 0 |
api_target_host | String | Specifies the target hosts where the API executes. Valid values: IP addresses must conform to the IP mode of your network. For dual IP mode, use the same IP protocol with which the managed unit is registered with the central manager. For example, if the registration uses IPv6, specify an IPv6 address. The hostname is independent of IP mode and can be used with any mode. |
Examples
Add the sensitive object groups 5, 333, and 156 to the outliers detection algorithm:
grdapi set_outliers_detection_parameter parameter_name=sensitiveObjectGroupIds parameter_value=5,333,156
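The parameter table above states several cross-parameter rules (internal-only parameters must not be changed, minDaysForAlerts cannot exceed budgetTrainingDays, and both clustering parameters must be 0 to disable clustering). The following pre-flight check encodes those rules and builds the grdapi command line only when a proposed change respects them; it is an added example, not Guardium code, and the function and constant names are this example's own.

```python
"""Pre-flight check for set_outliers_detection_parameter changes.

Encodes the constraints stated in the parameter table and emits the grdapi
command line only when the requested change is consistent with them.
Hypothetical helper, not part of Guardium or GuardAPI.
"""

# Parameters the table marks "Internal use only. Do not modify."
INTERNAL_ONLY = frozenset({
    "messageAlertsThreshold", "minNumIntervalsForMessageScorers",
    "minNumIntervalsForIntervalScorers", "numOfAnalyzeThreads",
    "nanny.duration.analysis", "nanny.duration.clean",
    "nanny.duration.reconfig", "nanny.duration.maintenance",
})

# Defaults stated in the table; assumed to be the live values whenever the
# caller does not pass the current configuration.
DEFAULTS = {"minDaysForAlerts": 7, "budgetTrainingDays": 14}

CMD = ("grdapi set_outliers_detection_parameter "
       "parameter_name={} parameter_value={}")


def build_command(name, value, current=None):
    """Return the grdapi command for one change, or raise ValueError."""
    cfg = {**DEFAULTS, **(current or {})}
    if name in INTERNAL_ONLY:
        raise ValueError(f"{name} is internal use only; do not modify")
    if name == "minDaysForAlerts" and int(value) > cfg["budgetTrainingDays"]:
        raise ValueError("minDaysForAlerts cannot exceed budgetTrainingDays "
                         f"({cfg['budgetTrainingDays']})")
    if name == "budgetTrainingDays" and int(value) < cfg["minDaysForAlerts"]:
        raise ValueError("budgetTrainingDays cannot be less than "
                         f"minDaysForAlerts ({cfg['minDaysForAlerts']})")
    if name == "intervalAlertsThreshold":
        float(value)  # must be numeric; float() raises ValueError otherwise
    if isinstance(value, (list, tuple)):
        # Comma separated list parameters (group lists) are joined here.
        value = ",".join(str(v) for v in value)
    return CMD.format(name, value)


def disable_clustering():
    """Clustering is only disabled when both parameters are 0."""
    return [build_command("clusteringScheduleIntervals", 0),
            build_command("minNumIntervalsForFirstClustering", 0)]
```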